Microsoft Windows Defender Device Guard offers a variety of capabilities, but IT professionals must enable Device Guard properly.
First, IT pros must ensure that the underlying hardware meets the minimum requirements for Device Guard. This includes a 64-bit processor with virtualization extensions, such as Intel VT-x, AMD-V and extended page tables; Trusted Platform Module 2.0; Unified Extensible Firmware Interface (UEFI) 2.3.1.c or later with Secure Boot enabled; and Hypervisor Enforced Code Integrity compatible Windows drivers.
In addition, IT must handle firmware updates through Windows Update, and the system must support Hardware Security Test Interface standards.
Enabling Windows Defender Device Guard
To enable Windows Defender Exploit Guard and Application Control features, IT can use desktop management tools including Group Policy, Microsoft System Center Configuration Manager, Windows PowerShell and Microsoft Intune.
The Windows Defender Device Guard features are virtualization-based, so IT must enable Hyper-V before deploying anything from Device Guard. For example, on endpoints running Windows 10 Enterprise or Education editions, IT can enable Hyper-V through the Windows Features dialog by typing "Turn Windows features on or off" in the Search dialog on the Taskbar.
After IT enables Hyper-V, it can open the Local Group Policy Editor -- gpedit.msc. Desktop administrators can launch the editor directly by typing "gpedit.msc" in the Run bar, or through Windows Search by typing "gpedit.msc" in the Search bar and selecting the corresponding applet from the results. If the file is not found, IT may need to install the Local Group Policy Editor.
Once the Local Group Policy Editor starts, desktop admins should navigate to the "Computer Configuration\Administrative Templates\System\Device Guard" key and locate the "Turn On Virtualization Based Security" policy entry. IT pros should double-click the entry, enable the desired feature and select options such as Secure Boot and UEFI lock. After configuring the features, IT pros should close the Local Group Policy Editor and restart the computer.
If administrators would prefer to use Windows PowerShell to manage Windows Defender Device Guard features, Microsoft provides a Device Guard and Credential Guard hardware readiness tool which runs a PowerShell script to check hardware and enable Device Guard.
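The steps above set the policy but do not show whether virtualization-based security actually came up after the reboot. The following script is an added example, not part of the article and not Microsoft's readiness tool; it checks the hardware prerequisites listed earlier and reads the resulting state from the documented Win32_DeviceGuard WMI class. It assumes an elevated PowerShell session on Windows 10.

```powershell
# Added example (not from the article or Microsoft's readiness tool): verify
# the Device Guard prerequisites and report the VBS/HVCI state after the
# "Turn On Virtualization Based Security" policy is applied and the machine
# has been rebooted. Run from an elevated PowerShell session.

# Documented meanings of the Win32_DeviceGuard property values used below.
$VbsStatus        = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Running' }
$SecurityServices = @{ 1 = 'Credential Guard'; 2 = 'Hypervisor Enforced Code Integrity' }
$PlatformProps    = @{ 1 = 'Base VBS'; 2 = 'Secure Boot'; 3 = 'DMA protection';
                       4 = 'Secure memory overwrite'; 5 = 'UEFI code read-only';
                       6 = 'SMM security mitigations'; 7 = 'Mode-based execution control' }

# Hardware and firmware prerequisites named in the article.
$is64  = [Environment]::Is64BitOperatingSystem
$tpm   = Get-Tpm -ErrorAction SilentlyContinue
$tpmOk = [bool]($tpm -and $tpm.TpmPresent -and $tpm.TpmReady)
# Confirm-SecureBootUEFI throws on legacy BIOS firmware; treat that as "not enabled".
try { $secureBoot = Confirm-SecureBootUEFI } catch { $secureBoot = $false }

# Current VBS state as reported by the operating system.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

# Helper: translate an array of numeric codes into readable names.
function Describe($codes, $map) { ($codes | ForEach-Object { $map[[int]$_] }) -join ', ' }

[PSCustomObject]@{
    'x64 OS'                      = $is64
    'TPM present and ready'       = $tpmOk
    'Secure Boot enabled'         = $secureBoot
    'VBS status'                  = $VbsStatus[[int]$dg.VirtualizationBasedSecurityStatus]
    'Platform features available' = Describe $dg.AvailableSecurityProperties $PlatformProps
    'Platform features required'  = Describe $dg.RequiredSecurityProperties  $PlatformProps
    'Services configured'         = Describe $dg.SecurityServicesConfigured  $SecurityServices
    'Services running'            = Describe $dg.SecurityServicesRunning     $SecurityServices
} | Format-List

# "Enabled, not running" after the policy is set usually means the reboot has
# not happened yet, or a required platform feature (e.g. Secure Boot) is missing.
if ($dg.VirtualizationBasedSecurityStatus -ne 2 -or 2 -notin $dg.SecurityServicesRunning) {
    Write-Warning 'VBS is not running with HVCI; compare the required and available platform features above.'
}
```

Comparing the "required" and "available" lists is the quickest way to see why a policy that asks for Secure Boot or DMA protection stays in the "Enabled, not running" state on a given endpoint.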